Massachusetts MA 201 CMR Best Practice Guidance on How to Comply

Massachusetts MA 201 CMR Best Practices for Compliance

Overview

MA 201 CMR has been in the news for the last 18 months. Whilst no one was sure when it would come into effect, it has now been confirmed that the Massachusetts information security regulations, entitled Standards for the Protection of Personal Information of Residents of the Commonwealth, also known as MA 201 CMR, will take effect on March 1, 2010. The regulations apply to entities that own or license personal information about Massachusetts residents. It is important to note that the rules apply to all entities, wherever located, that hold personal information of Massachusetts residents. For most organizations this is yet another complex and hard-to-grasp piece of law to comply with.

Why has Massachusetts decided to design and enact MA 201? What is meant by personal information? How are you supposed to safeguard it? What are the best practices to ensure compliance, and what are the steps you need to take to achieve and maintain compliance with MA 201? What is the upside of MA 201 for your business, if any?

Why has Massachusetts decided to design and enact MA 201?

There has been a significant number of high-profile data breach cases in the US over the past few years. For instance, in 2007 TJX Companies Inc., the global conglomerate that includes T.J. Maxx, T.K. Maxx, Marshalls and Winners, lost at least 45 million credit cards after its systems were penetrated by hackers. In 2009 networks at Heartland Payment Systems were hacked, exposing data on 130 million credit card users, and, also in 2009, the Network Solutions data security breach exposed half a million credit card numbers. In addition, breaches must be reported in 45 US states and a federal breach disclosure law is on its way. It is worth noting that the State of Massachusetts requires that breached entities report data breaches to the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR).

However, security experts always warn that breach notification alone is insufficient. It is a reactive measure: it ensures that crisis management procedures are put in place to contain the issue, to inform citizens that their data has been or may have been compromised, and to restore confidence in the markets after an incident has taken place. What is required is a more proactive data protection approach, focused on protecting personal information before incidents happen. This is not meant to replace data breach protection but rather to complement it. It is also worth noting that regulators have determined that data in transit or on portable devices is most at risk, and that several US states such as Nevada already require that such data be subject to additional levels of protection, such as encryption and associated policies. Nevada even requires designated organizations to comply with industry standards such as PCI DSS (Payment Card Industry Data Security Standard), which sets out technical and logical controls around cardholder data protection. Massachusetts is the first to take this proactive approach in the US, and it seems determined to ensure that personal information is adequately protected. Litigation and enforcement will be driven by the Massachusetts Attorney General. Massachusetts law requires notice to the Attorney General and OCABR of any breach, in addition to affected consumers, and the Attorney General is likely to wish to investigate based on breach reports. At this stage there is no clear private right of action or penalty regime for enforcement; however, one thing is for sure: MA 201 CMR will be enforced.

What is Personal Information?

Personal information is defined as a combination of a resident's first and last name and Social Security number, driver's license or state ID number, or financial account number or payment card number that permits access to the individual's financial account. This is key to understanding the type of data covered by MA 201.

How are you supposed to Safeguard it?

One needs to understand the type of safeguards required to comply. Organizations must have a mix of physical and logical safeguards as well as policies and procedures and awareness training for staff. This will involve the following tasks:

a) Design and promotion of a Written Information Security Program (WISP)
b) Asset inventory and asset classification process for data & physical assets
c) Risk assessment process, ideally involving a risk treatment procedure
d) Contracts to govern 3rd party management (e.g. suppliers, contractors)
e) Identity and access management policies and associated log trails
f) Incident Response Plan
g) Encryption (for specific data)
h) Configuration & Vulnerability Management Policy

There has been a lot of talk about the Written Information Security Program (WISP) that businesses must put in place. Broadly speaking this covers policies and procedures allowing organizations to inventory and classify their physical and logical assets, and an acceptable usage policy governing how corporate communication tools used to transmit, store or process personal information can be used by staff; this includes email, Internet, IM, social networking, USB memory keys, etc. It also requires an Incident Response Plan, an access control policy, an education program for staff, a disciplinary procedure for non-compliant staff, and a process for managing accounts and rights of terminated or leaving staff.

It is important to realize that the WISP must contain administrative, technical and physical safeguards that are appropriate to the Entity's size, scope and type of business, the Entity's resources, the amount of stored data, and the need for security and confidentiality of both consumer and employee information. It is also relevant to note that the WISP must allow the entity to comply with applicable State and federal laws. One key element of MA 201 CMR is to designate a Data Security Coordinator, an employee (or employees) responsible for developing security policies for employees, including keeping, transporting and accessing records and data off-site. This is most likely going to be a Chief Security Officer, Chief Compliance Officer, C-level person or senior manager.

Focus on technical security solutions required to comply:

In terms of technical controls, entities must establish and maintain a security system for their computer systems and network. This includes, but is not limited to, the following technical solutions:

- Firewalls
- Security patching (whether installed manually or through an automated solution)
- Anti-virus and malware protection software
- If technically feasible, laptops and other portable devices must be encrypted, as must all records and files transmitted over public networks
- All computer systems must be monitored for unauthorized use of or access to personal information
- A password policy and protocol for control of user IDs and identifiers must also be in place
- Vulnerability management solutions must be in place so as to ensure that all systems are properly patched and secure

In addition, entities must demonstrate that they restrict physical access (with locks) and prevent access to personal information by former employees, ideally addressed by a leaver's policy and an associated checklist to ensure that all corporate communication media devices such as laptops, PDAs, phones and USB keys are returned and analyzed for unusual activity. If such activity is detected then the incident response plan is to be launched.

Continuous Compliance aspect of MA 201 CMR:

Regular monitoring must be enforced to ensure the program is operating. Should it not be, or should technical solutions need to be upgraded, the entity needs to take corrective action. The security measures put in place by the entity, as well as the WISP, must be reviewed annually or whenever there is a material change in business.

Focus on Vulnerability Management:

Whilst MA 201 CMR does not specifically require entities to use a specific type of vulnerability management solution, it does require entities to ensure that all systems containing personal information are protected, and that there must be reasonably up-to-date versions of system security agent software, which must include malware protection and reasonably up-to-date patches and anti-virus definitions. This is best achieved by using vulnerability management software that scans IP addresses for known vulnerabilities, provides a view of what hackers would see from the outside in, and provides advice on remediation work to be carried out.

Focus on Education and Training:

Under MA 201 CMR entities must provide security awareness training to all staff and must ensure that they receive a copy of the WISP and acknowledge in writing that they have received the copy. In addition, it is worth noting that staff employment contracts must be written in such a way that staff have to comply with the provisions of the WISP. This is best achieved through face-to-face or e-learning training sessions covering the basics of security. Ideally businesses will want to be able to distribute the WISP (or attach the WISP in the case of e-learning) and keep track of written or electronic acknowledgement of receipt of the WISP.

Focus on Third Parties Management:

As with most legal and industry security frameworks, MA 201 CMR puts great emphasis on managing third parties involved in the business of affected entities. Specifically, MA 201 CMR makes it mandatory for entities to ensure that no third party engaged by them can become the weakest security link in the trust chain put in place under the WISP, such that a third party does not become a risk to the overall security posture of the business. As such, covered entities must take steps to select and retain service providers that are capable of appropriately safeguarding personal information. Covered entities must contractually require their service providers to safeguard personal information [...] provided, however, that service provider contracts entered into no later than March 1, 2010, are exempt from complying with this requirement until March 1, 2012.

Upside

It is clear that Massachusetts 201 CMR can be seen by covered entities as a burden in terms of operational duties, time and effort. However, it is worth acknowledging that earlier versions imposed even stricter rules on all entities. The current MA 201 CMR states that the duty to protect personal information through an information security program has been modified to allow the administrative, technical and physical safeguards to be appropriate to the size, scope and type of business, the amount of resources and data, and the need for security and confidentiality of the data. This should be welcomed by covered entities as it provides them with more flexibility, especially for small businesses. In fact, small businesses would be advised to read the Small Business Guide: Formulating A Comprehensive Written Information Security Program, which provides a lot of very insightful and useful information on how to comply with MA 201 CMR.

The main upside of MA 201 CMR is that it is fully in line with security best practices, and compliance with it will bring you a long way towards compliance with other legal and industry frameworks such as data breach notification laws, ISO 27001 and the Payment Card Industry Data Security Standard (PCI DSS), and vice versa. It is also worth noting that the proactive nature of MA 201 CMR, as opposed to data breach notification laws, with which entities are more widely in compliance, aligns organizations more closely with the European Data Protection Directive, which is the basis for most data protection legislation in the EU; so if your organization is also doing business in the EU, then MA 201 CMR compliance will make it easier for you to comply with EU data protection mandates. The main thing to keep in mind is that every requirement of MA 201 CMR is something that every organization needs to be doing to protect personal information. It is simply best practice and common sense to ensure that sensitive data is protected by physical and logical safeguards, based on a risk assessment and associated risk treatment which takes into account every data and IT asset in place.

About the author

Mathieu Gorge is the CEO and founder of VigiTrust, a Security Innovation partner. He has been in the security industry for over 10 years and is an expert on key legal aspects of corporate security such as compliance with international data protection laws and security frameworks. He is a regular speaker at international security conferences (RSA, ENISA, ISACA) and a well-respected figure in the security industry in EMEA and North America. Mathieu is also a regular contributor to the ISSA Journal and TechTarget.

Contact Us: Security Innovation 1 (978) x1
